BSides Orlando 2015 Keynote

BSides Orlando 2015 Keynote Presentation. This presentation covers three main topics:

The conscious and cultural ability in our field to accept failure (or lack thereof)
The potential requirement of regulation
The case for a different methodology or framework in Cyber Security.

mosesrenegade

April 11, 2015

Transcript

  1. FOR YOUR REGZ SO YOU CAN … YO DOG I GOT SOME REGZ
  2. WARNING
    This talk may contain comments or opinions that at times may differ with those of Cisco Systems. The views expressed here do not necessarily reflect those of Cisco Systems. Audience discretion is advised.
  3. I WORK [AT] CISCO
    SANS COMMUNITY INSTRUCTOR. CO-CHAIR OF SOUTH FLORIDA OWASP. “THAT CULTURE … PERSON …”
    about.me/moseshernandez @mosesrenegade moses@moses.io
    Yo dawg, you took a picture of you taking a picture so you can….
  4. None
  5. THE FAILURE DOMAIN
  6. HACKER COUTURE
    The ability to question, or ask why? Are we still curious? Or just Paranoid? The consequences of groupthink.
  7. THE ABILITY TO FAIL. CAN WE FAIL?
  8. THE UNFORGIVING MARKETPLACE
    MAYBE THIS PERSON GOT FIRED….
  9. QUESTIONS WE SHOULD BE ASKING
    • Should an incident or event immediately cause a Performance Review?
    • Are we allowed to fail?
    • Can we fail and what are the consequences to failing?
    • Once we fail, if we eliminate the person or have a culture of not failing, what have we lost?
  10. BURN THE WITCH
    “As soon as we try to simplify down failure to the miscues and mistakes of a few individuals in this system …” “…We deny ourselves an immense amount of learning and understanding.” - SIDNEY DEKKER, DEVOPS CAFE
  11. “In these complex systems managing complex systems, we are just actors more than people in control.” - ME
  12. TOXIC ENVIRONMENTS DON’T WORK HERE
  13. “Unjust responses to failure are almost never the result of bad performance. They are the result of bad relationships.” - SIDNEY DEKKER, “JUST CULTURE”
    Busy Empire Stuff
  14. A GLADIATOR SPORT
    Information Technology can feel like this most of the time. Consider how many companies you can recall that no longer dominate. A recent example: Zynga, Farmville anyone? In the enterprise: Who stays and Who goes?
  15. “Failure is, in a sense, a good thing.” - SIDNEY DEKKER
    THE FIRST LESSON TO GO HOME WITH:
  16. REGULATION IS COMING
  17. CALL IT OUT
    • The CFAA is a law, it’s not regulation.
    • I don’t want to talk about the CFAA other than to say it needs to be fixed.
    • I’m not a lawyer, let alone your lawyer.
  18. BREACH FATIGUE
    • The 2014 Numbers:
    • Community Health Systems (CHS): 4.5 Million People Affected
    • The Home Depot: 56 Million People Affected
    • JPMC: 76 Million People Affected
    • Target: 110 Million People Affected
    • eBay: 145 Million People Affected
  19. LET’S TALK ABOUT REGULATION
  20. THE FEAR: REGULATION ISSUES
  21. “Regulation is evil, so we will just self regulate.” - NO IDEA, WHO SAID OR THINKS THIS IS A GOOD IDEA?
  22. SOMETIMES REGULATIONS ARE GOOD THINGS. HOMESTEAD, AFTER HURRICANE ANDREW
  23. THE WORLD WE LIVE IN TODAY! YAY!
  24. BANCAROTTA
    • Bankruptcy - Comes from the Italian Banca Rotta, or Broken Bench.
    • Most common way a bank goes bankrupt even today?
    • Liquidity Challenges
    • Bank Runs
    • Regulation is said to “help”
    • Why?
  25. EARLY AIRLINE REGULATION
    • This poster is quite stark today.
    • We had strict regulations on air travel throughout most of its early history.
    • NTSB starts in 1926.
    • Airline De-Regulation Act was in 1976 under Carter and really opened up Airline Travel.
    • We have benefitted from that De-Regulation Today.
  26. AIRLINE DE-REGULATION
    • Airline De-Regulation ultimately saved the industry.
    • Created ‘free market’.
    • Allowed for faster movement through hubs.
    • #1 objective of the de-regulation act: Safety.
    • No one will fly when it’s not considered safe.
  27. ALREADY HERE
    • CFAA - Law Enforcement
    • CALEA - Law Enforcement
    • PCI - Industry Regulation (SELF)
    • NERC - Government Mandate (Corp)
    • GLBA - Federal Law
    • SOX - Federal Law (Cyber Component)
    • DMCA - Federal Law.
    • CISPA - Brought up again as CISA
    • PIPA - Currently Dead
    • SOPA - Currently Dead
    • Executive Order(s) - Promoting Private Sector Cybersecurity Information Sharing
    • Breach Notification Laws.
    MAYBE COMING?
  28. BUT WHY!?
    • IoT
    • If someone hacks a ‘pacemaker’, ‘insulin pump’, or something else.
    • Can an attacker cause death?
    • How would someone know!?
    • Who is regulating these things?
  29. REGULATION: IT’LL BE OK. STORY NUMBER TWO
  30. LOOKING FORWARD AND LOOKING BACKWARDS
    The road ahead
  31. LET ME PROVIDE THE CONTEXT
    THE DISCUSSION AHEAD
  32. TELL ME HOW YOU KNOW. HOW ABOUT TARGET?
    The Krebs Effect.
  33. THERE IS A DROP AT THE BEGINNING OF 2014. WHAT ABOUT TODAY?
    Target Stock
  34. CYBER OR SOMETHING ELSE?
    So…..
  35. https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices
    “Today, shareholders have neither enough information about security incidents nor sufficient tools to measure their impact.”
  36. INNOVATION AND PREDICTION
    • Target used Predictive and Analytical data points to understand when someone could be expecting a baby.
  37. MYSTERY
    If Target is really Innovative: What happened?
  38. A WORD ON FAILURE
    Shuttles, Complexity, Failure
  39. CHALLENGER
    • Was it technical?
    • Primary O-Ring Failure.
    • Tank Exploded.
    • In essence there is a technical reason for this failure.
  40. CHALLENGER
    • Was it operational?
    • O-Ring manufacturer did not want to sign off on the launch
    • O-Rings never had been tested before with cold temperatures
    • Go Fever had taken hold
  41. “… We deny ourselves an immense amount of learning and understanding. Failure is, in a sense, a good thing.” - SIDNEY DEKKER, DEVOPS CAFE
  42. GROUP ANALYSIS AND LEARNING
    Case Study in Cyber Security Proposal
  43. * I hate this picture, steal this, make it better

  44. THE CONCEPT IS SIMPLE….
    • Work with institutions, educational bodies.
    • Provide peer-reviewed identification for root cause analysis.
    • Should not include speculation or bias.
    • Should be peer reviewed.
  45. … THE EXECUTION IS HARD
    • Needs to be anonymized.
    • Anonymization is a challenge.
    • Needs to provide avenues for both Technical and Operational Interview and Investigation
    • Needs to provide organizations positive results.
  46. FINDING ANSWERS: PROBLEM SOLVING
  47. PART OF THE ANSWER: MEASURING
  48. THE MEASUREMENT STORY: SAMURAI
  49. HOW DOES ONE TEST A NEW SWORD?
    • Thanks Freddy
    • What do Samurai Swords Do?
    • How does one test the effectiveness of a sword?
    • Tameshigiri - The idea of Test Cutting
    • Tsujigiri - Outlawed during the Edo period, but very prevalent
  50. TESTING TO KILL
    • But how does one test the effectiveness of killing?
    • Cadavers
    • Emulating bodies, with straw, hay, rice.
    • Actual Killing
    • Overall you need to have a method that is repeatable and measurable.
  51. MAZE DULL?
    When we track bugs, Green Good, Red Bad, are we correctly incentivizing our people?
  52. OK, NOT REALLY
    YAY WRITE MINIVANS!
  53. MAYBE THE ANSWER IS LICENSURE?
    • The road to licensing does not ‘exclude individuals’.
    • We are at a point of great change and licensing would slow it down.
    • Today we are considered an Occupation and not a ‘Profession’.
    • Professionalism would exclude new individuals from joining our career, quickly.
  54. Is Cyber Security: Profession / Discipline / Occupation [Job]
  55. http://www.nap.edu/catalog/18446/professionalizing-the-nations-cybersecurity-workforce-criteria-for-decision-making
    “Cybersecurity is a broad field, and professionalization is something that can be undertaken for specific occupations within the field and not the field as a whole.”
  56. * I hate this picture, steal this, make it better

  57. BEFORE YOU ARE DISCOURAGED.
    • Key things we do not do well to support the effort:
    • Measuring
    • Documentation
    • Sharing Lessons
  58. BEFORE YOU ARE DISCOURAGED.
    • Key things we do do well to support the effort:
    • Sharing stories, at least at the pub.
    • Peer-Reviews (Pseudo)
    • Have our own language, Have a seat at the table.
  59. A POSITIVE STORY
    • Nursing as a discipline.
    • In a way, we are at the precipice.
    • It’s an opportunity to cement our futures.
    • Leave your mark, because you’re at a time when you can ultimately do so.
    • The opportunity has never been clearer.
  60. WEEEEEE THANK YOU ORLANDO!
    ENJOY BSIDES!
  61. http://www.moses.io moses@cisco.com @mosesrenegade